The security alert arrives just two months after Google belatedly admitted that data from an estimated 500,000 accounts had been exposed in March, due to a problem with the same API. But Google only revealed that data exposure in October, following inquiries from the Wall Street Journal (see: Google Forced to Reveal Exposure of Private Data).

The latest data exposure couldn't come at a worse time for the search firm because lawmakers and regulators are increasing their scrutiny of the security and data collection practices of technology giants, including Facebook, Twitter as well as Google.

But Google's quick notification shows it may have learned a lesson after its experience with the first exposure involving Google+, says Stephan Chenette, CTO of security vendor AttackIQ, which develops a threat-monitoring platform.

"Companies with repeated security incidents tend to lose even more public trust as it demonstrates a failure to learn from previous mistakes," Chenette says. "However, compared to Google's last breach, the company disclosed this bug much sooner and is trying to be more transparent."

Exposure Lasted Six Days

The latest Google+ problem exposed personal data that users had intended for only their friends to see - including their physical address, relationship status, birthdate and employer - to app developers. Google has released a full list of the exposed data collected by its People API.

Some of the types of data supplied by Google's People API for Google+, which the search giant says inadvertently exposed user data to app developers (Source: Google)

Even worse, the same kind of data was exposed for those people's connections, many of whom would likely have never consented to the permissions demanded by the app that their friends were using.

The exposure lasted six days, David Thacker, vice president of product management for G Suite, writes in a blog post. "No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way," he writes.

Financial data, national ID numbers, passwords or similar data that could be used for fraud was not exposed, he adds.

Google+ Shutdown Accelerated

The exposure occurred due to a bug in the Google+ People API, which developers who create apps that are compatible with the social network can access. Calling on the API allows app developers to pull data from a user's profile and see what kind of a content that user has indicated that they enjoyed or re-shared.

Thacker says that Google is contacting consumers and enterprises about the latest data exposure. But it remains unclear if Google plans to notify regulators. Reached for comment, a Google spokesman in Australia tells Information Security Media Group that the company had nothing to add, beyond what was in Thacker's blog post.

As a result of the data exposure, Google said it plans to accelerate its decommissioning of Google+, which was meant to be the search giant's alternative to Facebook but failed to gain traction.

Google will shut down all Google+ APIs within 90 days, and the entire consumer version of the service will be mothballed in April 2019, Thacker says. The time line is designed to give users enough time to transition away from Google+ and to "safely and securely download and migrate their data," he adds.

The revised timing updates Google's original shutdown plan, announced two months ago - when it first admitted to having exposed data via the same API - which was to deactivate Google+ by August 2019.

Google has said that its decision has been driven by poor consumer uptake and use of Google+. But it plans to continue offering an enterprise version of the social network.

Google failed to disclose the March data exposure, which involved 500,000 accounts, until it was queried about the episode by the Wall Street Journal. The publication reported that internal Google communications showed that the company was concerned about regulatory scrutiny and reputational damage if it went public with the Google+ security problems.

Subsequently, Google admitted that the initial API bug had been discovered and patched in March. But the technology giant has said it's unable to calculate exactly how many accounts might have been affected, because it was only keeping relevant logs for two weeks. Based on a two-week sampling period, however, Google estimated that 500,000 Google+ users were affected and that 438 apps for Google+ had access to the People API.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.